You can add or modify an AWS Key Management Service (KMS) server from the Command Center. You can use credential file or access information to create the KMS server.
If the user account does not have the kms:Decrypt permission, then you can perform only backup operations, and you cannot perform auxiliary copy or restore operations.
For guidelines about key rotation, see Key Rotation Guidelines for Amazon Web Service Key Management Service Server.
Commvault supports the following Amazon S3 encryptions:
- Server-side Encryption with Amazon S3-managed keys (SSE-S3)
- Server-side encryption with customer-provided keys (SSE-C)
- Server-side encryption with AWS KMS keys (SSE-KMS)
- Dual-layer server-side encryption with AWS KMS keys (DSSE-KMS)
Before You Begin
-
The Commvault user should have Edit Storage Policy \ Copy permissions to a storage policy copy to assign the AWS Key Management Service Server to the copy. For more information, see Storage Policy Management Permissions.
-
The AWS Key Management Service account that you configure must have the following permissions:
-
kms:CreateKey
-
kms:Decrypt
-
kms:DisableKeyRotation
-
kms:Encrypt
-
kms:ScheduleKeyDeletion
-
kms:TagResource
-
-
If you want to use credential file to create the KMS server, complete the folloiwng steps:
- Create a credential file with the following format:
[ProfileName] aws_access_key_id= aws_secret_access_key= region=
-
Copy the credential file to a system location on your CommServe computer and make a note of the location.
-
On your CommServe computer, create a system environment variable with the name "AWS_SHARED_CREDENTIALS_FILE" and set the value to the path of the credential file.
-
Restart the Commvault services on your CommServe computer.
For instructions, see Controlling Commvault Services on Clients.
- Create a credential file with the following format:
Procedure
-
From the navigation pane, go to Manage > Security.
The Security page appears.
-
Click the Key management servers tile.
The Key management servers page appears.
-
Click Add at the top right, and then select AWS KMS.
The Add AWS KMS dialog box appears.
-
In the Name box, enter a unique name for the key provider. This is the friendly name that will help you distinguish from other key management service servers.
-
From the Region list, select the region where AWS hosts the key management service.
-
From the Authentication type list, select an authetication type - Access and Secret Keys, Access and Secret Keys (Credential file) and IAM Role Policy.
-
If you selected Access and Secret Keys as authentication type, enter the following information:
-
In the Access key box, enter the access key.
-
In the Secret key box, enter the secret key.
-
-
If you selected Access and Secret Keys (Credential file) as authentication type, in the Profile name box, enter the profile name that you used in the credential file.
-
To use the Access Node, complete the following steps:
-
Move Use Access Node toggle key to the right, and then click Add.
The Access node dialog box appears.
-
From the Access Node list, select the MediaAgent that you want to use as an access node.
-
From the Authentication Type list, select an authentication type, and provide any additional information requested.
-
Click Submit.
-
-
Click Submit.